Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d
commit0f75a62e2c4fb1b6ef8db6f2e5c10ff29f95322d[log] [tgz]
authorNathan Harold <nharold@google.com>Wed Apr 05 19:37:58 2017 -0700
committerNathan Harold <nharold@google.com>Wed Apr 12 11:32:18 2017 -0700
tree60e8c3c46692d9e23be5b989de616f8bf238cb79
parentb7cb45f0d2206c5c9618062918d5f47e5e6ad6b0 [diff]
Allow UDP Sockets to be returned from IpSecService

These permissions allow the system server to create and
bind a UDP socket such that it gains the SOCK_BINDPORT_LOCK.
(ref: af_inet.c - inet_bind()) This prevents the user from
disconnecting the socket, which would create a security
vulnerability. The user may then use the provided socket,
which is always IPv4/UDP, for IKE negotiation. Thus, an
un-trusted user app must be able to use the socket for
communication.

-ALLOW: read, write, connect, sendto, and recvfrom.
-NEVERALLOW: anything else

Bug: 30984788
Test: CTS tested via IpSecManagerTest:testUdpEncapsulationSocket

Change-Id: I045ba941797ac12fd14a0cce42efdd2abc4d67e0
1 file changed
tree: 60e8c3c46692d9e23be5b989de616f8bf238cb79
  1. private/
  2. public/
  3. reqd_mask/
  4. tools/
  5. vendor/
  6. Android.mk
  7. CleanSpec.mk
  8. MODULE_LICENSE_PUBLIC_DOMAIN
  9. NOTICE
  10. PREUPLOAD.cfg
  11. README